Malware Analysis Report

2024-09-11 15:30

Sample ID 240612-pjx52aybpl
Target a0a74b0151fe253f32af6271c82358f7_JaffaCakes118
SHA256 8d9b282bd48f1e3677abcdb3edaa9cf561a79ab608acfc62875b039bd83a8e5e
Tags
vidar discovery spyware stealer 237
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8d9b282bd48f1e3677abcdb3edaa9cf561a79ab608acfc62875b039bd83a8e5e

Threat Level: Known bad

The file a0a74b0151fe253f32af6271c82358f7_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

vidar discovery spyware stealer 237

Vidar family

Vidar

Vidar Stealer

Reads local data of messenger clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses 2FA software files, possible credential harvesting

Looks up external IP address via web service

Checks installed software on the system

Unsigned PE

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-12 12:22

Signatures

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Vidar family

vidar

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 12:22

Reported

2024-06-12 12:24

Platform

win7-20240611-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0a74b0151fe253f32af6271c82358f7_JaffaCakes118.exe"

Signatures

Vidar

stealer vidar

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\a0a74b0151fe253f32af6271c82358f7_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\a0a74b0151fe253f32af6271c82358f7_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0a74b0151fe253f32af6271c82358f7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0a74b0151fe253f32af6271c82358f7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0a74b0151fe253f32af6271c82358f7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0a74b0151fe253f32af6271c82358f7_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a0a74b0151fe253f32af6271c82358f7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a0a74b0151fe253f32af6271c82358f7_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 search.ac.ug udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 12:22

Reported

2024-06-12 12:24

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0a74b0151fe253f32af6271c82358f7_JaffaCakes118.exe"

Signatures

Vidar

stealer vidar

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\a0a74b0151fe253f32af6271c82358f7_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\a0a74b0151fe253f32af6271c82358f7_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0a74b0151fe253f32af6271c82358f7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0a74b0151fe253f32af6271c82358f7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0a74b0151fe253f32af6271c82358f7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0a74b0151fe253f32af6271c82358f7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0a74b0151fe253f32af6271c82358f7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0a74b0151fe253f32af6271c82358f7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0a74b0151fe253f32af6271c82358f7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0a74b0151fe253f32af6271c82358f7_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a0a74b0151fe253f32af6271c82358f7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a0a74b0151fe253f32af6271c82358f7_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 search.ac.ug udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 search.ac.ug udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A